Welcome to Disclosed.

Each week, 3 readers will win a 1-month PentesterLab Pro license, completely free. Refer a friend to the newsletter to enter.
Shout-out to this week’s winners (I will email you):
bhavik_kanejiya
sumanthovs062
dexbugger
PentesterLab is one of the best hands-on platforms for learning web security, with real-world vulnerabilities, private labs, and practical exercises trusted by professionals and bug bounty hunters worldwide.
Huge thanks to PentesterLab for sponsoring this giveaway and supporting the Disclosed. community. ❤️

Hey there! Absolutely nothing went down this past week in the world… anyway, let’s dive in.
Opportunity: Join the Hacker Content Team as a Writer [🔗 Tweet]
by @hakluke
Join the Hacker Content team as a blog writer specializing in cybersecurity.
Read the full tweet →
Celebrating H16102 Award Winners [🔗 Tweet]
by HackerOne
Congratulations to the winners of various hacker awards at the Sydney Live Hacking Event, recognizing their significant contributions and collaborations.
Read more →
Bug Bounty Village Teases Something [🔗 Tweet]
by BugBountyDEFCON
👀
Read more →
Have something you want to Spotlight? Tell me.

Join the Beta for Hai: AI Security Agent for Hackers [🔗 Tweet]
by Jobert Abma
Participate in the beta testing for Hai, an AI-powered security agent tailored for hackers, with a limited number of spots available.
Read more →
Template Bounty Program [🔗 Blog]
by PDiscoveryIO
ProjectDiscovery has launched the Template Bounty Program, allowing community members to earn rewards for contributing valuable security templates. It’s a chance to support open-source efforts and gain recognition.
Read more →
Did I miss an important update? Tell me.

New Features in v5.8 of GAP Burp Extension Released [🔗 Tool]
by / XNL -н4cĸ3r
Version 5.8 of the GAP Burp Extension introduces enhancements to parameter lists and links discovery using modern JavaScript techniques.
Read more →
GitHub - Isira-Adithy/XSSpecter [📁 Tool]
by Isira-Adithy
XSSpecter is a modular toolkit for ethically testing Blind Cross-Site Scripting (XSS) vulnerabilities, featuring a CLI for automated payload spraying and a server for callback handling with a web dashboard.
Read more →

GitHub - RevoltSecurities/ZoomeyeSearch [📁 Tool]
by RevoltSecurities
ZoomeyeSearch is a command-line tool that leverages the ZoomEye search engine to assist in gathering intelligence on exposed services with extensive filtering and output options.
View the tool →
GitHub - Moopinger/smugglefuzz [📁 Tool]
by Moopinger
SmuggleFuzz is a configurable HTTP scanner for identifying downgrade smuggling vulnerabilities, offering customizable scanning commands and detailed documentation for effective use.
View the tool →
Introducing SubWatch: Automated Subdomain Monitoring Tool [🔗 Tweet]
by Brut 🇮🇳
SubWatch automates subdomain monitoring with scheduled scans and alerts, aiding bug bounty hunters in their reconnaissance efforts.
Read more →
Have a favorite tool? Tell me.

Dependency Confusion Exploit Leads to RCE on Netflix [🔗 Blog]
by Lupin
A dependency confusion vulnerability, discovered during a collaboration between Assetnote and Depi, resulted in remote code execution on Netflix.
Read the full blog →

Inside a Massive Healthcare Auth Bypass [🔗 Blog]
by Mayur Pandya
Security researchers uncovered a critical flaw in a healthcare platform that allowed them to hijack over 2,000 tenant accounts by manipulating authentication methods and exploiting poorly implemented SAML logic, all without user interaction.
Read the full blog →
Did I miss an important update? Tell me.

New Features Now Available in my Bug Bounty Hunting Framework | Beta Launch @ DEFCON 33 [🎥 Video]
by rs0n_live
Explore the new features of the Arson Framework version two, launching as an open beta at DEFCON 33, aimed at enhancing bug bounty hunting workflows.
Watch video →
Exploring AI Vulnerabilities and Payout Insights [🔗 Tweet]
by Critical Thinking - Bug Bounty Podcast
This podcast episode concludes a series on AI vulnerabilities, discussing the underlying thought processes and associated payouts.
Read more →
Exploiting Cache Server Normalization for Web Cache Deception | PortSwigger Lab | Explained [🎥 Video]
by Medusa
Learn how to exploit web cache deception vulnerabilities through cache server normalization, with practical techniques using Burp Suite.
Watch video →
How I Find High-Value Bug Bounty Leads (2025) [🎥 Video]
by Ergosum
Discover effective strategies for identifying high-value bug bounty leads, focusing on manual reconnaissance and exploration techniques.
Watch video →
CyberHub: Bug Bounty for Beginners, First Bug to High Impact with Soufian El Habti [🎥 Video]
by cyberhub
Soufian El Habti shares practical insights into starting with bug bounty programs and navigating the cybersecurity landscape effectively.
Watch video →
Did I miss something? Tell me.

Harnessing Wayback Machine, web-archive recon | YesWeHack [📓 Blog]
by YesWeHack
Explore the use of web archives for reconnaissance in bug bounty hunting, emphasizing techniques for analyzing archived data.
Read more →

Server-Side Template Injection (SSTI): Exploitation Guide [📓 Blog]
by Intigriti
This guide provides a thorough understanding of SSTI vulnerabilities, offering insights into their exploitation and methods for bypassing protections.
Read more →
Dependency Confusion · Learn my offensive security tradecraft [📓 Blog]
by Ghostlulz
This article discusses the vulnerability in package managers that allows attackers to exploit naming overlaps for remote code execution.
Read more →
The Most Underrated 0-Click Account Takeover Using Punycode IDN Homograph Attacks [📓 Blog]
by coffinxp
This article examines IDN Homograph Attacks where similar-looking characters can lead to account takeovers, emphasizing the need for better security measures.
Read more →
Exploring the Controversial End of Bug Bounty Programs [🔗 Tweet]
by Joseph Thacker (rez0)
This blog post discusses differing perspectives on the future of bug bounty programs, sparking debate within the community.
Read more →
I Fooled the Filters: Homoglyph Username Bypass Vulnerability — An Overlooked Threat in Major Platforms [📓 Blog]
by Aman Bhuiyan
The post highlights how visually similar Unicode characters can be used to bypass username restrictions on major platforms, detailing the risks and the responses from the companies involved.
Read more →
Did I miss something? Tell me.

Encoding Techniques to Bypass IP Validation [🔗 Tweet]
by André Baptista
Review various encoding methods for IP addresses that may bypass validation checks, including decimal and hexadecimal examples.
Read more →
Using Param Miner for Effective Cache Busting in Burp Suite [🔗 Tweet]
by sw33tLie
Learn how to use the $randomplz variable in Burp Suite's Param Miner for effective cache busting to improve testing efficiency.
Read more →
Changing User-Agent Header with cURL for Bypassing Filters [🔗 Tweet]
by HackingHub
Learn how to modify the User-Agent header using cURL to aid in bypassing filters or evading bot detection.
Read more →
Using Interactsh as an Alternative to Burp Suite Pro [🔗 Tweet]
by Coffin
Explore Interactsh, a user-friendly alternative to Burp Suite Pro for security testing.
Read more →
Quick Subdomain Profiling Technique Shared [🔗 Tweet]
by bugcrowd
Discover a recommended method for profiling subdomains effectively, with a link to a useful resource.
Read more →
Bypassing Cloudflare 403 for Time-Based Blind SQL Injection [🔗 Tweet]
by N$
A technique for bypassing Cloudflare’s 403 responses when testing for time-based blind SQL injection, with specific payload examples.
Read more →
Exploring Encoding Variants for XSS Payloads [🔗 Tweet]
by Anton
Check various encoding types for XSS payloads, as filters may block certain characters but not their Unicode versions, enhancing exploitation possibilities.
Read more →
AI Technique Reveals Sensitive Info in Markdown Images [🔗 Tweet]
by Joseph Thacker
Discover a novel technique that exposes sensitive information in images through reference style Markdown links.
Read more →
Rediscover Key Bug Bounty Write-Ups from Top Hackers [🔗 Tweet]
by Intigriti
Explore compelling write-ups from skilled hackers that provide valuable insights into web security.
Read more →
Did I miss something? Tell me.
Because Disclosure Matters: This newsletter was produced with the assistance of AI. While I strive for accuracy and quality, not all content has been independently vetted or fact-checked. Please allow for a reasonable margin of error. The views expressed are my own and do not reflect those of my employer.
